This is the talk page for discussing improvements to the LXC article.
Does it support file descriptor passing across isolation contexts?
Most unices support a mechanism to 'pass' a file descriptor through a socket. (http://archives.neohapsis.com/archives/postfix/2000-09/1476.html) For example, you might have a virus scanning daemon running as an unprivileged user, and then to scan a file, a client can pass an open file descriptor over the socket to the virus scanning daemon. The scanning daemon can then read that file to search for viruses, even though it is running under a user that normally cannot access the file.
Does LXC allow file descriptor passing of this type between security contexts?
- Please note that Wikipedia talk pages are for discussing *changes* to the article, and not a support forum for the product in question. (WP:TALK, WP:NOTFORUM) -- intgr [talk] 15:00, 12 November 2012 (UTC)
- Let me clarify. Right now, the article starts with "LXC ... method for running multiple isolated Linux systems (containers) on a single control host." (emphasis mine). I am saying that the term 'isolated' has gradations of meaning. That is why the Operating system-level virtualization article has a table describing that isolation in at least 9 dimensions (they call it 'features'). My question (I was the original poster) was meant to get more information to improve the article. 220.127.116.11 (talk) 03:42, 13 November 2012 (UTC)
As far as I can see, passing file descriptors through Unix sockets works between namespaces, just as Unix sockets can be used between namespaces if their associated files are accessible. Have a look at this explanation and net/unix/af_unix.c for Unix sockets and namespaces in general, and net/core/scm.c and its scm_fp_copy() for actual handling of SCM_RIGHTS. No namespaces-related checks are there, as far as I can see.
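The SCM_RIGHTS mechanism this thread discusses, as an added example that is not part of the article or of any post above: a socketpair stands in for the client/daemon socket, the "client" writes a constructed temp file and passes its descriptor, and the "scanner" end accepts only a regular file before reading it (the check a scanning daemon that takes descriptors from less trusted peers would want). It runs inside one process, so it shows the kernel mechanism itself rather than a cross-namespace setup.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>
union ctl { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; };

/* Attach fd to a one-byte message; the kernel installs a duplicate at the receiver. */
static int send_fd(int sock, int fd) {
    char b = 'F'; struct iovec iov = { .iov_base = &b, .iov_len = 1 };
    union ctl u;
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int)); memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &m, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor and keep it only if it refers to a regular file. */
static int recv_regular_fd(int sock) {
    char b; struct iovec iov = { .iov_base = &b, .iov_len = 1 };
    union ctl u;
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &m, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof fd);
    struct stat st; if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    return fd;
}

/* Round trip: client writes a constructed temp file and passes its descriptor over
 * a socketpair; the scanner end reads it back. Returns bytes read, or -1 on error. */
int scan_roundtrip(char *out, size_t n) {
    int sv[2], fd; char path[] = "/tmp/scanXXXXXX";   /* constructed sample file */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || (fd = mkstemp(path)) < 0) return -1;
    unlink(path);                          /* name gone, open descriptor still valid */
    if (write(fd, "scan-me", 7) != 7 || lseek(fd, 0, SEEK_SET) < 0) return -1;
    if (send_fd(sv[0], fd) < 0) return -1;
    close(fd);                             /* sender's copy closed; receiver's survives */
    int rfd = recv_regular_fd(sv[1]);
    if (rfd < 0) return -1;
    ssize_t r = read(rfd, out, n);
    close(rfd); close(sv[0]); close(sv[1]);
    return (int)r;
}
```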